Salesforce expands encryption options with 'bring your own key'

Salesforce.com is stepping up its efforts to woo security-conscious businesses by adding “bring your own key” encryption to its Salesforce Shield cloud services.

Introduced a year ago, Shield offers encryption, auditing and event-monitoring functions to help companies build cloud apps that meet compliance or governance requirements. Encryption is based on keys that Salesforce generates by combining an organization-specific “tenant secret” with a Salesforce-maintained master secret. Originally, secrets and keys in Shield were generated and managed through Salesforce’s built-in key-management infrastructure, accessed through a point-and-click interface.

“That satisfied the needs of the vast majority of customers,” said Brian Goldfarb, Salesforce’s senior vice president for App Cloud marketing. “But in regulated industries, there are some who want more.”

Targeting organizations in such tightly controlled industries — healthcare and life sciences, for example — BYOK encryption gives users the option of generating and supplying their own tenant secret to create encryption keys in Shield. They can then manage those tenant secrets independently of Salesforce through their existing hardware security module (HSM) infrastructure, through open-source crypto libraries such as OpenSSL, or through third-party services such as AWS Key Management Service. Salesforce has also partnered with key-brokering companies including Vormetric and Skyhigh as another administration option.
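The two-secret model described above (a customer-held tenant secret combined with a provider-held master secret, with the customer free to generate and rotate the tenant secret on their own side) can be illustrated with a small stand-alone Python program. This is an added example written for this article, not Salesforce's code, and it does not describe Shield's actual derivation: the choice of HKDF-SHA256 as the combining function, the 32-byte key size, the versioned info string, and all class and function names are assumptions made for illustration only. What it shows is the property the quoted analysts care about: the data key cannot be derived from either secret alone, each rotation produces a distinct key, and destroying a tenant secret makes that version's key underivable.

```python
"""
Illustrative model of a two-party key derivation (assumption: HKDF-SHA256 with
the master secret as salt and the tenant secret as input keying material).
Not Salesforce Shield's actual scheme; names and parameters are constructed
for this example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

KEY_LEN = 32  # assumed data-key size in bytes (256 bits)


def generate_tenant_secret() -> bytes:
    """Customer-side generation of a tenant secret from a CSPRNG.
    In practice this could come from an HSM or a service such as a KMS."""
    return secrets.token_bytes(KEY_LEN)


def _hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 extract step: PRK = HMAC(salt, IKM)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def _hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_data_key(tenant_secret: bytes, master_secret: bytes, version: int) -> bytes:
    """Provider-side step: both secrets are required to produce the data key.
    The version number is bound into the info string so each rotation yields
    an unrelated key even if the master secret is unchanged."""
    prk = _hkdf_extract(salt=master_secret, ikm=tenant_secret)
    info = b"tenant-data-key|v" + str(version).encode()
    return _hkdf_expand(prk, info, KEY_LEN)


class TenantSecretStore:
    """Customer-held, versioned tenant secrets (the BYOK side of the model).
    Rotation adds a new version; older versions are retained until the
    customer deliberately destroys them, because data encrypted under an old
    version can only be read with that version's key."""

    def __init__(self) -> None:
        self._secrets: Dict[int, bytes] = {}
        self.active_version = 0

    def rotate(self, tenant_secret: Optional[bytes] = None) -> int:
        """Install a new tenant secret (customer-supplied or freshly generated)."""
        if tenant_secret is not None and len(tenant_secret) != KEY_LEN:
            raise ValueError("tenant secret must be %d bytes" % KEY_LEN)
        self.active_version += 1
        self._secrets[self.active_version] = tenant_secret or generate_tenant_secret()
        return self.active_version

    def get(self, version: int) -> bytes:
        """Raises KeyError once a version has been destroyed."""
        return self._secrets[version]

    def destroy(self, version: int) -> None:
        """Crypto-shredding: without this secret the provider can no longer
        derive the corresponding data key, even with its master secret."""
        del self._secrets[version]


if __name__ == "__main__":
    # Constructed demo values; a real master secret stays with the provider.
    master = secrets.token_bytes(KEY_LEN)
    store = TenantSecretStore()
    v1 = store.rotate()
    k1 = derive_data_key(store.get(v1), master, v1)
    v2 = store.rotate()
    k2 = derive_data_key(store.get(v2), master, v2)
    print("v1 key differs from v2 key:", k1 != k2)
    store.destroy(v1)
    try:
        store.get(v1)
    except KeyError:
        print("version", v1, "key is no longer derivable")
```

A tenant secret produced outside this program, for example with `openssl rand 32` or exported from an HSM, can be passed to `rotate()` unchanged; the derivation is deterministic, so the same pair of secrets always yields the same key, which is what lets the customer verify that a rotation or a destruction actually took effect.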

“This is pretty darn important,” said John Kindervag, a vice president with Forrester. “Without the ability to control your own key materials, how can you be sure you and only you are controlling access rights and your own data?”

It will benefit any company that uses data that’s “somewhat sensitive and could get them in trouble if it leaks,” Kindervag said.

The feature could also help alleviate data-sovereignty concerns by making it easier to encrypt data and control the encryption, he added.

“Eventually, everyone will come to their senses and realize that the real solution for sovereignty is encryption, not building data centers in various countries,” Kindervag said.

The new BYOK feature is in pilot testing, with general availability planned for later this year. It will be included at no extra charge with the Salesforce Shield platform-encryption module.